Podcast Summary: Security Now Episode 1029 – "The Illusion of Thinking"
Release Date: June 11, 2025
Hosts: Leo Laporte & Steve Gibson
1. Tribute to Bill Atkinson ([10:07] – [19:34])
The episode opens with a heartfelt tribute to Bill Atkinson, a pivotal figure in Apple's history and a member of the original Macintosh development team. Steve Gibson shares his admiration for Atkinson, highlighting his contributions to early Mac software such as QuickDraw, MacPaint, and HyperCard. Atkinson's untimely passing due to pancreatic cancer has resonated deeply within the tech community.
Notable Quote:
"Bill was a principal designer and developer of the GUI for Apple's Lisa and later became one of the first 30 members of the original Apple Mac dev team."
— Steve Gibson [13:38]
Leo Laporte reminisces about his interviews with Atkinson, emphasizing the generosity and brilliance of his late friend.
2. Meta and Yandex Tracking Method ([19:34] – [60:46])
Steve Gibson delves into a concerning discovery involving Meta (Facebook) and Yandex. Recent research showed that native Android apps from both companies silently listen on fixed localhost ports, and that the companies' web tracking scripts, running inside the phone's browser, connect to those ports. That local hop lets the logged-in app tie mobile browsing sessions and web cookies to the user's real-world identity, bypassing the privacy protections the browser normally provides.
Key Points:
- Meta's Methodology: Meta-owned apps such as Facebook and Instagram listen on a fixed set of local UDP ports. The Meta Pixel JavaScript embedded on roughly 5.8 million websites uses the browser's WebRTC machinery to send the visitor's browser-side identifiers to those ports, where the logged-in native app receives them and forwards them to Meta.
- Yandex's Approach: Yandex apps listen on local TCP ports, and the Yandex Metrica script makes ordinary HTTP requests to Yandex-controlled hostnames that resolve to the localhost IP (127.0.0.1), so the requests land in the native app instead of at a remote server. Because the traffic looks like a normal request to a Yandex domain, it is harder to spot in a network trace or block by hostname.
- Privacy Implications: Because the identity is carried by the installed app rather than by the browser, clearing cookies, using incognito mode, or resetting the advertising ID does not break the link. The open local ports are also a risk in themselves: any other app on the device could bind the same ports and receive the browsing data the scripts send.
Notable Quotes:
"Meta has been up to... the design and installation of these covert backdoors in their apps which can only have the purpose of communicating with matching user tracking web scripts spread across 5.8 million Internet sites."
— Steve Gibson [56:28]
"This is an interesting and extremely privacy invasive hack."
— Steve Gibson [38:05]
Discussion Highlights:
- Immediate Response: Meta's Pixel stopped the localhost communication within days of the report's publication; the hosts read the speed of that change as a sign the company knew exactly what the mechanism was doing.
- User Mitigation: Short of using a browser that blocks web pages from reaching localhost, the only sure way to stop this tracking is to uninstall the affected apps, since the listening ports belong to the apps themselves.
- Browser Exposure: Brave does not let a web page reach localhost without the user's permission, which defeats the technique. At the time of the research, Chrome, Firefox, and Edge allowed scripts to reach local ports, so users of those browsers were exposed.
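As an added example, not from the episode or from the research it discusses, the Python below shows the two checks a practitioner can run against a device to look for this pattern: which apps hold sockets on the local ports that the tracking scripts talk to (from netstat-style output), and which hostnames in a set of DNS answers point back at the device itself. The port sets are my assumption, taken from the published research rather than from this summary, and the netstat output and DNS answers are constructed samples, not captures.

```python
"""Detection helper for the localhost-tracking pattern described above.

Two checks: (1) which apps hold sockets on the local ports the tracking
scripts talk to, from netstat-style output; (2) which hostnames in a set of
DNS answers point back at the device itself (the loopback-alias trick).
"""
import ipaddress
from dataclasses import dataclass

# ASSUMPTION: port sets as reported in the published research, not stated in
# the episode summary. Treat them as a starting point, not an exhaustive list.
META_UDP_PORTS = set(range(12580, 12586))          # reached by Meta Pixel over WebRTC
YANDEX_TCP_PORTS = {29009, 29010, 30102, 30103}    # reached by Yandex Metrica over HTTP
# Bind addresses from which a page in the local browser can reach the socket.
LOOPBACK_OR_WILDCARD = {"127.0.0.1", "::1", "0.0.0.0", "::"}

# Constructed sample in `adb shell netstat -tulpn` layout; not captured from a real device.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      1234/adbd
udp        0      0 0.0.0.0:12580           0.0.0.0:*                           4321/com.instagram.android
udp        0      0 0.0.0.0:12583           0.0.0.0:*                           4321/com.instagram.android
tcp        0      0 127.0.0.1:29009         0.0.0.0:*               LISTEN      5555/ru.yandex.yandexmaps
tcp        0      0 192.168.1.20:29010      0.0.0.0:*               LISTEN      7777/com.example.lanonly
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      6666/com.example.devserver
"""

# Constructed resolver answers; "metrics.example" stands in for a tracker's domain.
SAMPLE_DNS = {
    "metrics.example": ["203.0.113.10"],
    "beacon.metrics.example": ["127.0.0.1"],
    "www.example.com": ["203.0.113.20", "2001:db8::20"],
}


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    program: str
    reason: str


def parse_listeners(netstat_text):
    """Yield (proto, bind_addr, port, program) for sockets a local web page could hit."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue                                # header or blank lines
        proto = "udp" if fields[0].startswith("udp") else "tcp"
        if proto == "tcp" and "LISTEN" not in fields:
            continue                                # established TCP sockets cannot accept new connections
        bind_addr, _, port = fields[3].rpartition(":")   # handles IPv6 such as ":::12580"
        program = fields[-1].split("/", 1)[1] if "/" in fields[-1] else "unknown"
        yield proto, bind_addr, int(port), program


def find_suspicious_listeners(netstat_text):
    """Return Findings for listeners on the tracking ports that loopback traffic can reach."""
    findings = []
    for proto, bind_addr, port, program in parse_listeners(netstat_text):
        if bind_addr not in LOOPBACK_OR_WILDCARD:
            continue                                # bound to one LAN interface; 127.0.0.1 won't reach it
        if proto == "udp" and port in META_UDP_PORTS:
            findings.append(Finding(proto, port, program, "UDP port in the WebRTC range used by Meta Pixel"))
        elif proto == "tcp" and port in YANDEX_TCP_PORTS:
            findings.append(Finding(proto, port, program, "TCP port used by Yandex Metrica's localhost requests"))
    return findings


def loopback_aliases(dns_answers):
    """Return hostnames whose answers include a loopback address (the Yandex-style DNS trick)."""
    return sorted(
        host for host, ips in dns_answers.items()
        if any(ipaddress.ip_address(ip).is_loopback for ip in ips)
    )


if __name__ == "__main__":
    for f in find_suspicious_listeners(SAMPLE_NETSTAT):
        print(f"{f.proto}/{f.port} held by {f.program}: {f.reason}")
    print("hostnames resolving to loopback:", loopback_aliases(SAMPLE_DNS))
```

On a real device, feed `find_suspicious_listeners` the output of `adb shell netstat -tulpn` (program names may need root), and feed `loopback_aliases` the answers from a resolver log or a packet capture; a listener on the LAN interface only (the 192.168.1.20 line) is deliberately ignored because a page on the same phone cannot reach it through 127.0.0.1.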
3. New EU DNS Service ([60:58] – [73:23])
The European Union has launched its own DNS resolver service, DNS4EU (joindns4.eu), aiming to provide secure, privacy-focused resolvers as an alternative to non-EU services such as the US-based resolvers most people use today.
Key Features:
- Targeted Users: Dedicated DNS profiles for governments, telcos, and home users.
- Security Enhancements: Built-in filters for malicious and malware-linked domains, managed centrally by EU threat intelligence analysts.
- Performance: Steve's tests from Southern California showed response times of 163-173 ms, versus roughly 20 ms for Cloudflare's 1.1.1.1. The resolvers are placed for EU users and are highly responsive there, but slow from outside the region.
Notable Quotes:
"These EU resolvers include built-in DNS filters for malicious and malware-linked domains, that is, filtering them out, that prevent users from connecting to known bad sites."
— Steve Gibson [65:17]
Discussion Highlights:
- Ownership and Management: The DNS service is managed by a consortium led by the Czech security firm Whalebone and includes members from various EU countries.
- User Choice: Home users can select from different DNS profiles based on their needs, such as ad-blocking or child protection.
- Performance Considerations: The service is optimized for EU users, offering robust security at the expense of speed for users in other regions.
4. Recent Security Incidents ([73:27] – [111:47])
Steve and Leo cover a series of recent security-related news items:
- Reddit vs. Anthropic: Reddit has filed suit against Anthropic for scraping Reddit comments and using them to train its Claude AI chatbot.
- XChat Security Flaws: A researcher criticized XChat, the encrypted messaging feature of X (formerly Twitter), arguing that its key-management design leaves X in a position to obtain users' private keys and to see message metadata, so the encryption offers little protection against the platform itself.
- Login.gov Backups: The U.S. Government Accountability Office (GAO) reported that Login.gov has no policy requiring it to verify that its backups actually restore, raising the risk of an extended outage after an incident.
- Erlang/OTP SSH Vulnerability ([92:33] – [95:07]): A flaw in the SSH server shipped with Erlang/OTP carries a CVSS score of 10.0 and allows unauthenticated remote code execution: the daemon accepts certain SSH connection-protocol messages before authentication has completed. Patched OTP releases are available (OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20); where upgrading is not immediately possible, the advice is to disable the Erlang SSH server or restrict access to its port with firewall rules as a temporary workaround.
Notable Quotes:
"A malicious actor could... gain unauthorized access to affected systems and execute arbitrary commands without valid credentials."
— Steve Gibson [93:51]
"They [Meta and Yandex] are thinking, they are not your friends, amoral."
— Steve Gibson [58:16] (from the Meta and Yandex discussion earlier in the episode)
Discussion Highlights:
- Telegram Message Interception: Reports indicate that Russia's FSB can see messages sent to certain Ukrainian Telegram channels, potentially exposing Russian citizens who contact those channels to treason charges.
- EU DNS Service Performance: As covered in section 3, DNS4EU performs well inside Europe, but its latency from outside the EU makes it impractical as a global resolver.
- Erlang/OTP SSH Exposure: Any system that exposes the Erlang/OTP SSH server is at risk from this critical vulnerability, so affected daemons should be inventoried and patched, disabled, or firewalled without delay.
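The workaround above presupposes knowing which of your SSH daemons are Erlang's. As an added example, not from the episode or from the Erlang/OTP project, the Python below parses SSH server identification strings as defined in RFC 4253 section 4.2 and flags servers that announce themselves as Erlang's SSH application, so they can be patched or isolated first. The assumption that Erlang/OTP servers identify as "SSH-2.0-Erlang/<version>" is mine, and the banners are constructed samples, not captures from real hosts.

```python
"""Triage SSH server banners to find Erlang/OTP SSH daemons worth patching or isolating."""
import re

# ASSUMPTION: Erlang/OTP's ssh application announces itself as
# "SSH-2.0-Erlang/<ssh application version>". Not stated in the episode.
ERLANG_SOFTWARE = "Erlang"

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")

# Constructed banners (not captured from real hosts), keyed by host:port.
SAMPLE_BANNERS = {
    "10.0.0.5:22": "SSH-2.0-OpenSSH_9.6\r\n",
    "10.0.0.9:22": "SSH-2.0-Erlang/5.1.4.9\r\n",
    "10.0.0.12:2222": "Welcome to node-42\r\nSSH-2.0-Erlang/4.15.3.5 restricted\r\n",
    "10.0.0.30:22": "HTTP/1.1 400 Bad Request\r\n\r\n",
}


def parse_identification(raw):
    """Return (protoversion, softwareversion, comment) or None.

    Servers may send arbitrary lines before the identification string
    (RFC 4253 section 4.2), so skip until a line beginning "SSH-"; accept
    CRLF or bare LF line endings.
    """
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line.startswith("SSH-"):
            m = IDENT_RE.match(line)
            return None if m is None else (m.group("proto"), m.group("software"), m.group("comment"))
    return None


def erlang_ssh_version(raw):
    """Return the Erlang ssh application version if the banner is Erlang/OTP's, else None."""
    parsed = parse_identification(raw)
    if parsed is None:
        return None
    name, _, version = parsed[1].partition("/")
    if name != ERLANG_SOFTWARE or not version:
        return None
    return version


def triage(banners):
    """Classify each host: 'erlang' (follow up now), 'ssh' (other server), or 'not-ssh'."""
    result = {}
    for host, raw in banners.items():
        if erlang_ssh_version(raw) is not None:
            result[host] = "erlang"
        elif parse_identification(raw) is not None:
            result[host] = "ssh"
        else:
            result[host] = "not-ssh"
    return result


if __name__ == "__main__":
    verdicts = triage(SAMPLE_BANNERS)
    for host, verdict in verdicts.items():
        version = erlang_ssh_version(SAMPLE_BANNERS[host]) or ""
        print(f"{host:16} {verdict:8} {version}")
```

To use it against a real estate, collect the first few hundred bytes each host sends on its SSH port (a plain TCP connect is enough; the server speaks first) and pass them to `triage`. The version string tells you which ssh application release is running, which is what you compare against the fixed OTP releases named above.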
5. Apple's Research on Large Reasoning Models ([111:47] – [162:21])
A significant portion of the episode is dedicated to discussing Apple's recently released research paper titled "The Illusion of Thinking: Understanding the Strengths and Limitations of Reasoning Models via the Lens of Problem Complexity."
Key Insights:
- Research Objective: Apple aims to assess whether current large reasoning models (LRMs) genuinely exhibit reasoning capabilities or merely perform advanced pattern matching.
- Methodology: The study uses controlled puzzle environments (Tower of Hanoi, Checker Jumping, River Crossing, and Blocks World) whose complexity can be raised one step at a time, so that both the final answers and the intermediate reasoning traces can be compared at each level. The models compared include OpenAI's o3-mini, DeepSeek-R1, Claude 3.7 Sonnet (in thinking and non-thinking modes), and Gemini Thinking.
- Findings:
  - Three Performance Regimes:
    - Low Complexity: Standard (non-thinking) LLMs match or beat LRMs in accuracy while using far fewer tokens.
    - Medium Complexity: LRMs pull ahead, and the extra reasoning tokens buy real accuracy.
    - High Complexity: Accuracy collapses to zero for both kinds of model; more test-time compute does not rescue them.
  - Reasoning Effort: Counterintuitively, as problem complexity approaches the collapse point, LRMs spend fewer reasoning tokens even though they have token budget left, which points to a scaling limit in how they allocate effort.
  - Reasoning Traces: On easy problems the models often find the correct solution early and then keep exploring wrong alternatives ("overthinking"); on moderately hard problems the correct solution appears only late in the trace; beyond the collapse point no correct solution appears at all.
Notable Quotes:
"Despite sophisticated self-reflection mechanisms, these models fail to develop generalizable reasoning capabilities beyond certain complexity thresholds."
— Steve Gibson [135:07]
"This suggests LRMs possess limited self-correction capabilities that, while valuable, reveal fundamental inefficiencies and clear scaling limitations."
— Steve Gibson [135:12]
Discussion Highlights:
- Tower of Hanoi Analysis: Both standard LLMs and LRMs performed flawlessly with up to three disks. As the disk count increased, LRMs kept solving the puzzle longer than standard LLMs, out to roughly eight disks, after which both failed to produce a valid solution reliably.
- Concept of "Illusion of Thinking": Apple's research underscores that while LRMs appear to reason through complex problems, their capabilities are limited by inherent scaling issues and a reliance on pattern matching rather than genuine understanding.
- Implications for AI Development: The study raises critical questions about the true reasoning abilities of current AI models and highlights the need for advances beyond merely increasing computational power or training data.
Conclusion: Apple's research provides a sobering perspective on the limitations of today's AI models. While they offer impressive performances in controlled scenarios, their inability to generalize reasoning across varying complexities questions the notion of their "thinking" capabilities. This work encourages the tech community to reevaluate the metrics and benchmarks used to assess AI reasoning.
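To make the evaluation method concrete: the following Python, added here and not part of the episode or of the Apple paper, implements the kind of puzzle simulator such a study needs. It produces the optimal Tower of Hanoi solution (2^n - 1 moves, so 7 moves for three disks and 255 for eight) and grades a model's proposed move list step by step, reporting the first illegal move. The move format [disk, from_peg, to_peg], the answer-extraction heuristic, and the sample "model answers" are my constructions for illustration.

```python
"""Tower of Hanoi simulator of the kind a study like Apple's needs to grade model answers.

A move is [disk, from_peg, to_peg] with pegs 0..2 and disks 1 (smallest) .. n (largest).
The "model answers" below are constructed illustrations, not outputs of any real model.
"""
import json


def optimal_moves(n, src=0, aux=1, dst=2):
    """Classic recursive solution: exactly 2**n - 1 moves from peg src to peg dst."""
    if n == 0:
        return []
    return (optimal_moves(n - 1, src, dst, aux)
            + [[n, src, dst]]
            + optimal_moves(n - 1, aux, src, dst))


def validate_moves(n, moves):
    """Replay moves on a fresh board and grade them.

    Returns (solved, moves_executed, error). Stops at the first illegal move,
    which is what a grader needs in order to report where an answer went wrong.
    """
    pegs = [list(range(n, 0, -1)), [], []]      # peg 0 holds n..1, largest at bottom
    for i, move in enumerate(moves):
        if len(move) != 3 or not all(isinstance(x, int) for x in move):
            return False, i, f"move {i}: malformed entry {move!r}"
        disk, frm, to = move
        if not (0 <= frm <= 2 and 0 <= to <= 2) or frm == to:
            return False, i, f"move {i}: invalid pegs {frm}->{to}"
        if not pegs[frm] or pegs[frm][-1] != disk:
            return False, i, f"move {i}: disk {disk} is not on top of peg {frm}"
        if pegs[to] and pegs[to][-1] < disk:
            return False, i, f"move {i}: disk {disk} cannot go on smaller disk {pegs[to][-1]}"
        pegs[to].append(pegs[frm].pop())
    if pegs[2] == list(range(n, 0, -1)):
        return True, len(moves), None
    return False, len(moves), "sequence ended before all disks reached peg 2"


def extract_answer(model_text):
    """Pull the JSON move list out of a free-form response; None if absent or unparsable.

    Heuristic (my assumption): the answer is the outermost [...] in the text.
    """
    start, end = model_text.find("["), model_text.rfind("]")
    if start == -1 or end <= start:
        return None
    try:
        moves = json.loads(model_text[start:end + 1])
    except json.JSONDecodeError:
        return None
    return moves if isinstance(moves, list) else None


def grade(n, model_text):
    """End-to-end grading: extract the move list, replay it, return (solved, executed, error)."""
    moves = extract_answer(model_text)
    if moves is None:
        return False, 0, "no parsable move list"
    return validate_moves(n, moves)


def complexity_table(max_n):
    """Optimal move counts 2**n - 1 for n = 1..max_n (3 disks: 7, 8 disks: 255, 10 disks: 1023)."""
    return {n: len(optimal_moves(n)) for n in range(1, max_n + 1)}


# Constructed sample responses for n = 3.
GOOD_ANSWER = "Final answer: moves = " + json.dumps(optimal_moves(3))
BAD_ANSWER = "moves = [[1, 0, 2], [2, 0, 2], [1, 2, 1], [3, 0, 2]]"   # 2nd move stacks disk 2 on disk 1

if __name__ == "__main__":
    print(complexity_table(10))
    print(grade(3, GOOD_ANSWER))
    print(grade(3, BAD_ANSWER))
```

The validator deliberately checks every move rather than only the final state: a grader that looked only at the end position would accept an answer that passed through illegal intermediate states, which is exactly the kind of shortcut a pattern-matching model might produce.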
6. Additional Security News ([162:21] – [166:28])
The hosts touch upon a recent vulnerability where security researchers accessed live feeds of 40,000 internet-connected cameras worldwide. These cameras were improperly secured, exposing sensitive environments like data centers, healthcare facilities, and factories.
Notable Quote:
"Security researchers have managed to access the live feeds of 40,000 Internet connected cameras worldwide. These are not cameras intentionally made public."
— Leo Laporte [162:19]
Discussion Highlights:
- Scope of the Exposure: The cameras were reachable because of misconfiguration, not a software flaw: they were left facing the internet without effective authentication, highlighting the ongoing challenge of securing IoT devices.
- Potential Risks: Unauthorized access to such cameras enables privacy invasion, physical and industrial espionage, and reconnaissance for further attacks against both individuals and organizations.
- Preventative Measures: The hosts emphasize putting every internet-connected device behind robust authentication, keeping it off the public internet where possible, and auditing regularly for devices that have been exposed by accident.
7. Closing Remarks and Additional Information ([166:28] – [End])
Leo Laporte and Steve Gibson conclude the episode by promoting their respective platforms and encouraging listeners to engage with their content through various channels such as YouTube, Discord, and their websites. They also briefly mention upcoming topics and express their commitment to providing in-depth security analyses in future episodes.
Final Thoughts:
Episode 1029 of Security Now offers a comprehensive exploration of current cybersecurity threats, privacy invasions by major tech companies, and critical evaluations of AI reasoning models. The hosts adeptly navigate complex topics, providing listeners with valuable insights and actionable information to safeguard their digital lives.
For more detailed information, transcripts, and show notes, listeners are encouraged to visit the Security Now website.